Scenario:
-------------
Webagent name: test_agent
Protected URLs: /application1 /application2
We want to protect /application1 at authentication level 10 and /application2 at authentication level 5.
Is the below configuration possible for the same webagent: test_agent:
1. If a user tries to access resource /application1, the webagent returns a level 10 SMSESSION cookie.
2. If a user tries to access resource /application2, the webagent returns a level 5 SMSESSION cookie.
Yes, this is supported.
Realm-1 : /application-1 --> Protected using AuthScheme-Level-10.
Realm-2 : /application-2 --> Protected using AuthScheme-Level-5.
If it is two different applications, I'd separate them into two different Policy Domains.
test_agent --> AgentGroup-App1 --> Realm-1 : /application-1 --> Protected using AuthScheme-Level-10.
test_agent --> AgentGroup-App2 --> Realm-1 : /application-2 --> Protected using AuthScheme-Level-05.
We hope you are aware of the rule of SSO & User Experience when traversing across realms which have different Authentication levels.
Thank you for your prompt response.
Just to reconfirm, we are using only one policy domain.
Can you point me to the Siteminder guide where this is documented - wrt the fact that one webagent can protect resources at different auth levels on the same policy domain?
Thank you for your help.
Hopefully this helps!
Now if we are specifically looking for a statement "Single/Same WebAgent protecting two unique resources with their respective realms & auth scheme on different protection level", I doubt we are going to find such a statement.
Thank you Hubert.
In our organization, we have custom authentication scheme levels: 5, 10, 15.
Level 0 is for unprotected resources. Level 15 is for the highest security resources.
For the current webagent there is only one realm with authentication scheme: level 10 - that is currently protecting /application1.
So basically, we will have to add one more realm with level 5 and protect /application2 URI against this new realm.
Is this understanding correct?
Also I found the below document which has instructions on creating a new realm.
In summary, we can refer to this documentation to create the new realm at level 5 for the same webagent and protect URI /application2. Please confirm.
Thank you for all your help.
The Protection Level is defined within the Authentication Scheme.
We create the realm (with resource filter i.e. URI to be protected) and associate the Authentication Scheme to the realm. That is how the protection level from the Authentication Scheme gets applied to the Realm.
Thank you Hubert. This helps a lot.
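
The realm and protection-level behaviour discussed in this thread, as an added example that is not from any poster and is not SiteMinder code: a small Python model of one agent with two realms. It assumes the realm with the longest matching resource filter applies and that an existing session is honoured only by realms at an equal or lower protection level than the one it was issued at; the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Realm:
    name: str
    resource_filter: str   # URI prefix protected by the realm
    protection_level: int  # comes from the realm's authentication scheme


# Constructed model of the thread's setup: one agent (test_agent), two realms.
REALMS = [
    Realm("Realm-1", "/application1", 10),
    Realm("Realm-2", "/application2", 5),
]


def match_realm(uri: str, realms=REALMS) -> Optional[Realm]:
    """Pick the realm whose filter is the longest prefix of the URI (assumed rule)."""
    hits = [r for r in realms if uri.startswith(r.resource_filter)]
    return max(hits, key=lambda r: len(r.resource_filter), default=None)


def decide(uri: str, session_level: Optional[int], realms=REALMS) -> str:
    """Model the agent's decision for one request.

    session_level is the protection level the presented SMSESSION was
    issued at, or None when the browser presents no session.
    """
    realm = match_realm(uri, realms)
    if realm is None:
        return "unprotected"                     # no realm covers the URI
    if session_level is None:
        return f"challenge:{realm.protection_level}"
    if session_level >= realm.protection_level:
        return "sso"                             # equal or lower level: no re-challenge
    return f"step-up:{realm.protection_level}"   # higher level: re-authenticate


if __name__ == "__main__":
    for uri, level in [("/application2/home", None), ("/application1/pay", 5),
                       ("/application2/home", 10), ("/public/index.html", 5)]:
        print(f"{uri:22} session={level!s:5} -> {decide(uri, level)}")
```

The second sample request is the case to plan for: a user who logged in at level 5 on /application2 is challenged again when moving to /application1.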